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(OGC) (FBI) 


From: Caproni, Valerie E. (OGC) (FBI) 

Sent: Thursday, May 12, 2005 12:17 PM 

To: | | (OGC) (FBI); KELLEY, PATRICK W. (OGC) (FBI);| 

HTT CiGC) (FB I ) 1 1 


Cc: 

Subject: RE: QFR 
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O riginal Message 

From: ! I (OGC) (FBI) 

Sent: Thursday, May 12, 2005 12:08 PM 

To: KELLEY, PATRICK W. (OGC) (FBI); Caproni, Valerie E. (OGC) (FBI)f 

(FBI) 

Cc: j | (OGC) (FBI) 

Subject: RE: QFR 


](OGC) 


UNCLASSIFIED 

NON-RECORD 


I am nervous about mentioning PIA in context of national security systems. It is true the FBI currently 
reguires PIAs for NS systems as well as non-NS systems. However, the recent statutory PIA requirement 
(E-Gov Act) and implementing OMB regs expressly exclude NS systems from this requirement. Among 
other things, creating PIAs for major systems like VCF can entail substantial costs. Accordingly we have 
had preliminary staff musings that maybe we should now move to limit FBI PIA requirements to non-NS 
systems, and our plan is to surface this question for a decision by the Director. (But we probably will also 
him the option of still doing some sort of internal privacy policy scrub on NS- systems, though less onerous 
than PIA and called something else.) 


But given possibility that in near future Director might opt to forego PIAs for NS systems, I recommend 
against raising congressional consciousness levels and expectations re NS PIAs. Plus as suggested by 
Pat's comments, it's entirely possible that we haven't done a PIA on at least some of the systems where 
the instant data resides/will reside. (We have done a number of PIAs on IDW, but not on ACS or on 


numerous case specific databases.) 

Original Message 

From: KELLEY, PATRICK W. (OGC) (FBI) 
Sent: Thursday, May 12, 2005 10:16 AM 
To: Caproni, Valerie E. (OGC) (FBI) | 

(FBI) 

Subject: RE: QFR 
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UNCLASSIFIED 

NON-RECORD 


The following isn't quite correct. 

"We do not expect that extraneous, irrelevant data will be entered into our databases, but, to the 
extent such information is added to a database, all databases are subject to review purs uan t to a 
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Privacy Impact Assessment. " We don't subject every database to a privacy impac assessment. 
Systems, such as ACS, that were extant when we began the PIA process were grandfathered in; 
hence, only new, significant sytems are subject to review under our current regs. If a system has 
gone through a PIA and been approved, then the addition of new information won't necessarily 
trigger the need for another review. Certainly, if the additions are significant or alter the nature of 
the system or its uses, then another PIA is warranted. So, I think you would want to change the 
statement to something like: "We do not intentionally add extraneous, irrelevant data to our record 
systems and attempt to include safeguards against doing so in their design and operation. We 
employ a Privacy Impact Analysis process to review significant new systems or the addition into 
existing systems of significant new data in an effort to balance our investigative needs with the 
privacy interests of the citizentry." 


Original Message 

From: Caproni, Valerie E. (OGC) (FBI) 

Sent: Wednesday, May 11, 2005 6:28 PM 
To: KELLEY, PATRICK W. (OGC) (FBI)I 
A. (OGC) (FBI) 

Subject: QFR 

UNCLASSIFIED 
NON-RECORD 

I played around a little with the wording of this answer. Is the answer still correct? I would like still 
like to slide something in about PIA to give him a sense that we really do worry about the privacy 
interests of uninvolved people whose data we slurp up. Any suggestions would be appreciated. 
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